Matt Nicholson's take on the computer industry

Security glossary

From anonymous proxies to zombies through boot viruses, botnets, cross-site scripting, decoy scanning, denial of service, Google hacking and honeypots, keystroke logging, pharming and phishing, rogue diallers, rootkits, spiders, trojan horses and worms – a glossary of the tools and techniques used by those who want to break into your computer system.

Originally published on DNJ Online, May 2006

Anonymous proxy: A proxy server that hides the attacker’s machine by stripping its IP address from the request. All you see is the IP address of the proxy server.

Auto-encryption: Where a program encrypts part or all of itself, making it more difficult to analyse.

Back door: Where a developer deliberately includes undocumented commands that give him or her unauthorised access to the system.

Banner-grabbing: Most operating systems display some sort of ‘banner’ detailing operating system type and version at some point during the log-on process. Getting a system to display its banner can provide the hacker with useful information.

Boot virus: A virus that infects the boot sector of a hard or floppy disk so that it gets executed when the machine is powered up or rebooted. Particularly popular when floppy disks were used to transfer data from machine to machine as users often forgot to remove them before shutting down, with the result that the boot virus got executed next time the machine was powered up.

Bot: A program that interacts with other programs as though it is a user. A bot (short for ‘robot’) can be used to gather information or perform malicious actions. Communication between the attacker and the bot is usually through an IRC channel.

Botnet: A network of zombies that can be controlled by the attacker from a central location. The creator of a botnet may rent it out to spammers, people who want to launch a DDoS attack, and so forth.

Brute force attack: Where an attacker uses a program to automatically try to log in to your system hundreds of times a second using different login details each time. Can be countered by refusing more than a certain number of successive attempts from the same IP address, or by introducing a short delay between the login details being entered and the application responding.
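A login throttle implementing the two countermeasures just described: a cap on successive failed attempts from one address, followed by a lockout, plus a fixed delay before every response. This is an added illustration, not code from the original article; the thresholds, the in-memory store and the user table are assumptions.

```python
"""Login throttle in the spirit of the countermeasure above: block an address
after too many successive failures and slow every response. Added
illustration, not code from the original article; thresholds, the in-memory
store and the user table are assumptions."""
import hmac
import time
from collections import defaultdict

MAX_FAILURES = 5        # successive failures tolerated per address (assumed)
LOCKOUT_SECONDS = 300   # block duration once the cap is hit (assumed)
RESPONSE_DELAY = 0.5    # fixed slow-down per attempt, in seconds (assumed)

# Constructed credential store. Passwords are kept in clear only to keep the
# example short; a real system stores salted hashes (see the Hash entry).
USERS = {"alice": "correct horse battery staple"}


def credentials_valid(username, password):
    """Constant-time comparison so response timing does not leak a partial match."""
    stored = USERS.get(username)
    if stored is None:
        return False
    return hmac.compare_digest(stored.encode(), password.encode())


class LoginThrottle:
    def __init__(self, clock=time.monotonic, sleep=time.sleep):
        self.clock = clock                  # injectable so tests can control time
        self.sleep = sleep
        self.failures = defaultdict(int)    # ip -> successive failures
        self.blocked_until = {}             # ip -> clock value at which block ends

    def is_blocked(self, ip):
        until = self.blocked_until.get(ip)
        if until is None:
            return False
        if self.clock() >= until:
            # Lockout has expired: forget the address's history.
            del self.blocked_until[ip]
            self.failures.pop(ip, None)
            return False
        return True

    def attempt(self, ip, username, password):
        """Return 'blocked', 'denied' or 'ok'."""
        if self.is_blocked(ip):
            return "blocked"            # nothing is checked while locked out
        self.sleep(RESPONSE_DELAY)      # every guess costs the caller time
        if credentials_valid(username, password):
            self.failures.pop(ip, None)
            return "ok"
        self.failures[ip] += 1
        if self.failures[ip] >= MAX_FAILURES:
            self.blocked_until[ip] = self.clock() + LOCKOUT_SECONDS
        return "denied"


if __name__ == "__main__":
    throttle = LoginThrottle(sleep=lambda _: None)   # skip the delay when run by hand
    for _ in range(MAX_FAILURES + 1):
        print(throttle.attempt("203.0.113.7", "alice", "guess"))
```

Keying the counter on the source address is exactly what the entry suggests, and it is also its known weakness: an attacker with many addresses (a botnet, as defined below) gets a fresh allowance per address, so production systems usually combine this with a per-account counter and the delay, which costs every address alike.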

Buffer overflow attack: Where the attacking program tries to store more data in a buffer than it was intended to hold. If the program does not truncate the data or throw an exception then the excess will overwrite adjacent memory, and could be designed to insert instructions that cause another program to be run.

Cookie poisoning: Where an attacker edits the cookie that your program creates on his machine. Under ASP.NET you can combat cookie poisoning by arranging for your Forms authentication cookie to be both encrypted and integrity checked.
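The integrity-checked half of that advice, in stdlib Python: the server appends an HMAC-SHA256 tag to the cookie body and refuses any cookie whose tag no longer matches, so an edited role claim is simply treated as "not logged in". This is an added illustration, not the article's or ASP.NET's own code; the key, claim names and cookie layout are assumptions, and the encryption half is left out.

```python
"""Integrity-checked cookie: HMAC tag over the body, verified on every read.
Added illustration, not the article's or ASP.NET's own code; the key, claim
names and cookie layout are assumptions."""
import base64
import hashlib
import hmac
import json

SERVER_KEY = b"constructed-demo-key-do-not-reuse"   # assumed; never leaves the server


def _b64(raw):
    return base64.urlsafe_b64encode(raw).decode().rstrip("=")


def _unb64(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _encode_claims(claims):
    # Canonical JSON so the same claims always produce the same body and tag.
    return _b64(json.dumps(claims, sort_keys=True, separators=(",", ":")).encode())


def issue_cookie(claims, key=SERVER_KEY):
    """Serialise the claims and append an HMAC-SHA256 tag over the body."""
    body = _encode_claims(claims)
    tag = hmac.new(key, body.encode(), hashlib.sha256).digest()
    return f"{body}.{_b64(tag)}"


def read_cookie(cookie, key=SERVER_KEY):
    """Return the claims if the tag verifies, else None (treat as logged out)."""
    try:
        body, tag = cookie.split(".", 1)
        expected = hmac.new(key, body.encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _unb64(tag)):
            return None
        return json.loads(_unb64(body))
    except ValueError:          # no separator, bad base64 or bad JSON
        return None


def poisoned_copy(cookie, new_claims):
    """Simulate the poisoning in the entry: rewrite the body, keep the old tag."""
    _, tag = cookie.split(".", 1)
    return f"{_encode_claims(new_claims)}.{tag}"


if __name__ == "__main__":
    cookie = issue_cookie({"user": "alice", "role": "user"})
    print(read_cookie(cookie))
    print(read_cookie(poisoned_copy(cookie, {"user": "alice", "role": "admin"})))
```

The tag only proves the server wrote the body; it does not hide it, which is why the entry asks for encryption as well when the claims themselves are sensitive.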

Cracker: Someone who attempts to break the security of a system.

Crawler: See spider.

Cross-site scripting (XSS): A Web application is vulnerable to XSS if an attacker can inject code that will be executed on the user’s machine without the user knowing. This could be done by creating a link that directs the user to the site but includes malicious JavaScript statements in the URL. If the site is vulnerable then these statements would be returned to the user and executed within their browser.
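The reflected case just described, as an added illustration that is not part of the original article: a search handler pulls a parameter out of the request URL and echoes it. The unsafe renderer returns whatever was in the URL as markup; the safe one HTML-encodes it so the browser can only display it as text. The URL, page markup and parameter name are constructed for the example.

```python
"""Reflected XSS: the query from the URL is echoed into the page. Added
illustration, not the article's own code; URL, markup and parameter name are
constructed."""
import html
from urllib.parse import parse_qs, urlsplit


def render_results_unsafe(query):
    """Interpolates raw input into markup: the vulnerable pattern."""
    return f"<p>Results for: {query}</p>"


def render_results_safe(query):
    """Encodes <, >, &, and both quote characters, so input can only be text."""
    return f"<p>Results for: {html.escape(query, quote=True)}</p>"


def handle_search(url, renderer):
    """Extract ?q= from the request URL the way a handler would, then render."""
    params = parse_qs(urlsplit(url).query)
    query = params.get("q", [""])[0]      # parse_qs already percent-decodes
    return renderer(query)


# Constructed link of the kind the entry describes. The script is inert here;
# it exists only to make the difference between the two renderers visible.
CRAFTED_URL = "https://shop.example/search?q=%3Cscript%3Ealert%281%29%3C%2Fscript%3E"


if __name__ == "__main__":
    print(handle_search(CRAFTED_URL, render_results_unsafe))
    print(handle_search(CRAFTED_URL, render_results_safe))
```

Encoding at the point of output is the fix because the renderer is the only place that knows the context (HTML body here); the same value dropped into a JavaScript string or an attribute needs that context's encoding instead.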

Daemon: From the Unix world, this is a program that runs as a background process, rather than under direct user control. Traditionally, a spirit from Greek mythology that could do good or evil.

Decoy scanning: Where a program performs a port scan of your system from a decoy machine that hides the attacker’s true location.

Denial of Service attack: Where an attacker bombards the target server with so many requests that it cannot respond to legitimate users.

Dictionary attack (or crack): Passwords are usually hashed using publicly available algorithms. A dictionary attack involves creating a list of millions of potential passwords in a hashed form and looking up the hash to find the original password. Combining numerals and punctuation marks with letters massively increases the potential number of passwords, making dictionary attacks much harder.

Distributed Denial of Service (DDoS) attack: A Denial of Service attack that originates from multiple client computers. Usually instigated using a botnet.

Diversions: An attack intended to distract the system administrators from the real danger.

DMZ (Demilitarised Zone): A place on your network for servers that need to be visible from the Internet, such as Web and email servers.

Exploit: A program that uses a known vulnerability to attack a system.

Form injection: Where an attacker directly manipulates the data that is returned when a form is submitted to a Web server.

Google hacking: The spiders that retrieve data for the Google search engine will quite happily return confidential data that you have inadvertently left on your Web site, as a search for ‘internal use only’ will quickly reveal. Google hacking is the art of using Google to assist in an attack.

Hacker: Traditionally someone who enjoys programming and exploring computer systems, but now synonymous with cracker. Sometimes divided into ‘black hat’ and ‘white hat’ hackers, depending on their intentions (in early cowboy movies it was usual for the bad guys to wear black hats and the good guys white hats).

Hash: A function that converts a string into another string of fixed length in such a way that it is very hard to reverse the process and extract the original. Passwords should always be stored in a hashed form.
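The Dictionary attack and Hash entries above, carried into code as an added illustration that is not part of the original article: a precomputed table of unsalted hashes recovers a password in a single lookup, whereas a fresh random salt per user and a deliberately slow derivation (PBKDF2 here) mean each stored value has to be attacked separately and slowly. The iteration count, storage format and word list are assumptions.

```python
"""Unsalted lookup table versus salted, slow password hashing. Added
illustration, not the article's own code; iteration count, storage format and
word list are assumptions."""
import base64
import hashlib
import hmac
import os

ITERATIONS = 600_000   # assumed; tune to your hardware and revisit over time


def unsalted_hash(password):
    """What a precomputed dictionary targets: one password -> one fixed digest."""
    return hashlib.sha256(password.encode()).hexdigest()


def build_lookup(wordlist):
    """The precomputed table: digest -> password, built once, reused forever."""
    return {unsalted_hash(word): word for word in wordlist}


def hash_password(password, salt=None, iterations=ITERATIONS):
    """Store as algorithm$iterations$salt$digest with a fresh 16-byte salt."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return "$".join(["pbkdf2_sha256", str(iterations),
                     base64.b64encode(salt).decode(),
                     base64.b64encode(digest).decode()])


def verify_password(password, stored):
    """Recompute with the stored salt and iterations; compare in constant time."""
    algorithm, iterations, salt_b64, digest_b64 = stored.split("$")
    if algorithm != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                    base64.b64decode(salt_b64), int(iterations))
    return hmac.compare_digest(candidate, base64.b64decode(digest_b64))


if __name__ == "__main__":
    table = build_lookup(["password", "letmein", "qwerty"])   # constructed list
    print(table.get(unsalted_hash("letmein")))               # found in one lookup
    print(hash_password("letmein"))                          # differs every run
```

Storing the iteration count alongside the hash lets you raise it later and re-hash users transparently at their next successful login, which is why the format carries it rather than baking it in.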

HEAD request: A request to a Web server that returns only the response headers, without the page itself; these typically reveal the server’s type and version.

Honeypot: A relatively unprotected computer, containing what appear to be important documents, that is attached to the Internet for the purpose of observing attacker behaviour.

Honeynet: The Honeynet Project describes itself as “a non-profit volunteer research organisation dedicated to improving the security of the Internet.” One of its main tools is the honeynet, which is a network of honeypots.

IDS: Intrusion Detection System.

Identity theft: Stealing the information necessary to persuade a third party that you are someone else, such as a system administrator or an account holder.

IRC channel: Internet Relay Chat (IRC) is an open protocol that supports real-time text conversations across the Internet. Conversations take place within channels.

ISO 17799: A code of practice for information security management published by the International Organization for Standardization (ISO). It is aimed at senior management rather than technical staff, although it does include a section on system development.

Keystroke logger: A form of spyware that captures and saves user keystrokes, so enabling the attacker to capture usernames and passwords. Keyloggers can be overcome by having users select letters from a drop-down menu, but see Screen grabber.

Passive attack: Where the attacker simply monitors communication between two parties, perhaps through a packet sniffer. Such an attack is very hard to detect.

MAC spoofing: Every device that can be networked is allocated a unique Media Access Control (MAC) address that is intended to uniquely identify it on the network. However some devices allow you to manually change their MAC address to anything you like.

Mail Spoofing: An email that appears to come from someone other than the person who sent it. SMTP servers allow you to enter anything into the sender address when you create an email, and many viruses use this technique to send emails from compromised machines that seem to come from someone known to the recipient.

Malware: Any program that contains malicious code.

Man-in-the-middle attack: Where the attacker or the attacking program sits between the sender and the receiver in such a way that both parties think they are talking to each other, when in reality they are both talking to the attacker.

Memetic virus: A trojan horse that’s convincing enough for the receiver to send it to their friends. Derives from Richard Dawkins’ concept of ‘memes’ as ideas that propagate in much the same way as genes.

Network protocol analyser: Software that enables you to view the traffic passing through a network in its raw state, including passwords that have not been encrypted. Particularly effective on wireless networks that have not been effectively secured.

Packet sniffer: See Network protocol analyser.

Pharming: Manually changing the IP address of a record on a DNS server so that calls to a particular URL are diverted to the attacker’s Web site.

Phishing: Persuading users to divulge sensitive information, such as passwords or credit card details, by posing as an email from a trusted person, or as the Web site of a trusted organisation.

Ping sweep: Automated sweep of IP addresses using the Ping command.

Polymorphic virus: A virus that encrypts itself with a different key each time it infects a file, which makes it harder to detect. Such a virus has to include a decryptor if it is to run as intended, but there are many ways in which the decryptor can be written. For example, NOP (No Operation) instructions and loops can be inserted into the code at random places to create potentially millions of variations.

Port scan: Automated sweep of ports on the target machine to find any that are open that could be used to provide a back door. It can be detected by an IDS and shows up in log files.

Rogue dialler: A form of Malware that finds a modem on the target machine and uses it to dial premium-rate numbers without the user’s knowledge, until they receive an unexpectedly large phone bill.

Rooted: Having complete unauthorised access to a system (‘root’ is the Unix equivalent of an administrator account). A computer that has been successfully attacked with a rootkit is also said to have been ‘rooted’.

Rootkit: A set of tools that attackers can install on target systems to cover up any trace of their presence. This is often achieved by replacing the administration tools that come with an operating system, or even kernel-level device drivers, with modified versions. Many rootkits also include tools for building back doors, keystroke loggers and so forth.

Screen Grabber: A form of Spyware that captures a movie of the contents of the screen for later retrieval by the attacker.

Session hijacking: Where an attacker obtains a valid session ID that allows him to hijack communication between a user and a system without the system knowing.

Shell access: Access to the command prompt of the shell program.

Social engineering: Manipulating a social interaction so that your victim unwittingly divulges information or gives you access to a restricted area. Social engineering can range from rifling through a company’s dustbins to posing as someone from technical support. Phishing is another term for social engineering.

Spam relay: Where a compromised computer is used as a relay to forward spam emails, making the originator harder to trace.

Spider: A bot that automatically browses the Web by following the hyperlinks. Spiders (also called crawlers) are used by search engines, and also by attackers looking for email addresses.

Spyware: A program that sits on the user’s machine collecting information about their activities without them knowing.

SQL injection: Where an attacker directly enters SQL commands into an application.
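What "directly enters SQL commands" means in practice, as an added illustration that is not part of the original article, run against an in-memory SQLite table: when the query is built by string concatenation, a quote in the input closes the literal and the rest of the input becomes part of the statement; when the value is bound as a parameter, the driver treats it as data and the same input matches nothing. The table, rows and input are constructed.

```python
"""SQL injection against a string-built query, and the parameterised fix.
Added illustration, not the article's own code; table, rows and input are
constructed."""
import sqlite3


def open_demo_db():
    """Constructed two-row table; in-memory so the example runs anywhere."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT PRIMARY KEY, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "alice@example.test"),
                      ("bob", "bob@example.test")])
    return conn


def lookup_unsafe(conn, name):
    """Vulnerable: the input is pasted into the SQL text."""
    sql = f"SELECT name FROM users WHERE name = '{name}' ORDER BY name"
    return [row[0] for row in conn.execute(sql)]


def lookup_safe(conn, name):
    """Fixed: the driver binds the value; a quote inside it is just a character."""
    sql = "SELECT name FROM users WHERE name = ? ORDER BY name"
    return [row[0] for row in conn.execute(sql, (name,))]


# Constructed input: the leading quote closes the literal and the remainder is
# read as SQL, so the WHERE clause becomes always-true in the unsafe version.
TAUTOLOGY = "' OR '1'='1"


if __name__ == "__main__":
    db = open_demo_db()
    print(lookup_unsafe(db, TAUTOLOGY))   # every row
    print(lookup_safe(db, TAUTOLOGY))     # no row
```

Parameter binding is the fix rather than quote-escaping because it removes the problem class: the statement's structure is fixed before any user data is seen, so there is no input that can change it.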

Steganography: A technique for hiding data or program code within an image file by scattering fragments throughout the file. The image will open quite normally within programs such as Internet Explorer or Adobe Photoshop, but the hidden data can be extracted using special utilities.

STO (Security Through Obscurity): Where sensitive information is made secure by, for example, hiding it in a file with a nondescript filename. A useful technique but only if the information is also encrypted and integrity checked in case an attacker does identify its whereabouts.

Telnet: A TCP-based protocol that allows users to interact with servers across the Internet through a command-line interface.

Tiger team: Originally a military term used to denote a team whose job is to penetrate the security of a ‘friendly’ installation. Sometimes used to refer to professional penetration or security testers (also known as ‘white hats’).

Trojan horse: The vehicle used by the attacker to persuade the user to run the payload. A typical example is an email with an attachment that appears to be an image file but is actually an executable, or a URL that appears to go to a legitimate site but actually takes the user somewhere else.

Virus: A program that is designed to search out and ‘infect’ a particular executable by inserting a copy of itself that will be executed when its target is executed, so turning its target into a trojan horse.

Warez dump (or server): A server used to store pirated software without the knowledge of its owner.

Worm: A program that is designed to copy itself across a network.

Zero-day exploit: The best time to use an exploit is within 24 hours of the vulnerability being announced, as many administrators won’t have got around to applying the patch.
